
Timeline of Issues

Security Issues & Responses

All the issues, fixes, responses and more surrounding the COVID-Zoom time in 2020. Some information was gathered from this CNET article, which collected a lot of these issues.

First "Zoom bombings" reported

March 17 | First news article I can find

The Verge reporter Casey Newton and investor Hunter Walk hosted a daily public Zoom call called WFH Happy Hour. A troll joined their call and began to screen share horrifying and inappropriate images to the many participants. Although it probably happened before, this appears to be the first time it got mainstream media coverage, and it just grew from this point.

Zoom privacy policy exposes a lot of data

March 24 | Date of Discovery

For a while the Zoom privacy policy was very permissive. It allowed them to use anything from your call: video, audio, screen sharing, names, messages and more. This presents the first major privacy concern of the COVID-Zoom time. It didn’t originally get much media coverage until a little later, when there were other issues. Consumer Reports initially made the discovery and raised concerns about this. This could simply be a mistake from an inexperienced legal team, or it could be done with malintent.

iOS app sends data to Facebook

March 26 | Date of Discovery

The Zoom developers implemented the whole of the Facebook SDK into the app. This was done so they could have the “login with Facebook” button in their app. This meant that the Facebook SDK would start up with the app and collect data for Facebook. It’s hard to fully blame the developers here when Facebook is the one collecting the data, but they did implement this SDK into their app without fully checking to see what it could do. Maybe it’s simply a slip in their procedure, or maybe a flaw in the procedure itself.

Zoom fixes Facebook data collection

March 27 | Date fixed

Zoom removes the Facebook SDK and implements login with Facebook in a safer way. They apologize and call it an “oversight”. Again, this could entirely be an oversight, and it was fixed very quickly.

Zoom fixes privacy policy

March 29 | Date Changed

Zoom changes its privacy policy to fix the issues that Consumer Reports originally discovered. This means that Zoom said they would now not keep users’ data or use it for advertising, except where the user requests it, such as storing their call recording in Zoom’s cloud storage. Zoom again fixes this issue quickly, which suggests there may have been no malintent with the original policy.

FBI warns about Zoom bombing

March 30 | Date of Warning

By this point Zoom bombings are common and in the media a lot. The FBI gives recommendations designed for schools on how to avoid Zoom bombing. These are basically the same recommendations the media was also giving to prevent Zoom bombing.

NY Attorney General Investigates Zoom

March 30 | Date of letter sent

The New York State Attorney General sent a letter to Zoom asking about their security measures, any changes they’re making, and some specific issues. This is the first major concern of the government over the security issues.

First Zoom lawsuit

March 30 | Date Filed

The case is Cullen v. Zoom Video Communications. It alleges that Zoom is illegally sharing user data with Facebook under the CCPA. This is basically saying the issue with sending data to Facebook from their iOS app is illegal under California consumer data protection law.

Sketchy MacOS installation

March 30 | Date of Discovery

March 30th was not a good day for Zoom apparently, and their stock on that day would agree. This time Twitter user @c1truz_ discovered that Zoom’s installer on macOS performs the installation from the preinstallation script, the code that macOS installers run beforehand to check whether a system is compatible with the software. This is not really appropriate to do and allows the software to be installed without any user input. It’s also worth noting that this is how Mac malware installs. It’s just interesting that Zoom acts as malware. This also shows more that the Zoom team appears to be inexperienced or unprepared despite being a 9-year-old company.

Directory system leaks emails

March 31 | Date of Discovery

Zoom had a system where all emails of the same domain would show up in each other’s directory in the Zoom app. So skyler@quitzoom.com could see contact@quitzoom.com, and the other way around, in the directory. But if skyler@gmail.com and contact@gmail.com were registered, they couldn’t see each other. Well, that exclusion didn’t work for some email domains: there were some Dutch ISPs whose customers’ email addresses showed up in the directory system. Basically, emails were leaked through their directory system, but only some obscure ones. Although, this just seems like more lazy development.
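To show why the domain-grouping rule above leaks, here is an added example (not Zoom’s code) contrasting the “same domain unless it’s a known consumer provider” rule with a default-deny rule that only groups domains an administrator has claimed. The consumer list, the verified list and the ISP domain example-isp.nl are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed data for the demonstration. "example-isp.nl" stands in for the
// kind of ISP domain the text mentions: one domain, many unrelated subscribers.
var (
	// Known consumer providers excluded from domain grouping. A list like this
	// is incomplete by nature; whatever it misses gets treated as a company.
	consumerProviders = map[string]bool{"gmail.com": true, "outlook.com": true}
	// Domains an administrator has explicitly claimed for an organisation.
	verifiedOrgDomains = map[string]bool{"quitzoom.com": true}
)

// domainOf returns the lower-cased domain part of an address, or "" if malformed.
func domainOf(email string) string {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return ""
	}
	return strings.ToLower(email[at+1:])
}

// visibleDenylist models the grouping rule the page describes: same domain
// means same directory, unless the domain is a known consumer provider.
func visibleDenylist(a, b string) bool {
	da, db := domainOf(a), domainOf(b)
	return da != "" && da == db && !consumerProviders[da]
}

// visibleVerified is the default-deny alternative: a shared domain only puts
// two users in one directory when that domain has been claimed by an org.
func visibleVerified(a, b string) bool {
	da, db := domainOf(a), domainOf(b)
	return da != "" && da == db && verifiedOrgDomains[da]
}

func main() {
	pairs := [][2]string{
		{"skyler@quitzoom.com", "contact@quitzoom.com"},
		{"skyler@gmail.com", "contact@gmail.com"},
		{"anna@example-isp.nl", "bob@example-isp.nl"}, // ISP missing from the list
	}
	for _, p := range pairs {
		fmt.Printf("%-22s %-22s denylist=%-5v verified=%v\n",
			p[0], p[1], visibleDenylist(p[0], p[1]), visibleVerified(p[0], p[1]))
	}
}
```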

Not really end-to-end encryption

March 31 | Date of Discovery

Zoom claimed to use end-to-end encryption. They don’t. They use transport encryption, that is, encryption only while the data is in transit. It means that, like with end-to-end encryption, if someone intercepted your call it would be encrypted and they wouldn’t be able to see anything. But if someone at Zoom wanted to see your recording they could see it unencrypted. End-to-end encryption tends to be the industry standard, and not only is it unavailable with Zoom, but they claimed it was. Either these developers aren’t careful or experienced, or there is malintent. With all these mistakes or malintent it becomes hard to trust the company.

Second Zoom lawsuit

March 31 | Date Filed

This lawsuit is for the same thing as the first lawsuit. It’s again about the user data being sent to Facebook from the Zoom app. The source here is just a Dropbox link to the legal documents, because a second lawsuit over the same thing isn’t newsworthy.

Zoom exploit to take Windows password

March 31 | Date of Discovery

A Zoom exploit was discovered that could be used to steal a Windows user’s username and password. The exploit involves sending a link in the Zoom chat that, when clicked, will use the Windows SMB protocol to attempt to log in to a remote system. To log in to that system, it will send the user’s Windows credentials in a protected form which the hacker could then easily crack. So, in summary, if a user clicks this link in a Zoom chat it will send their username and password to a remote hacker.

Password exploit possible on Mac?

April 1 | Date of Discovery

I can’t entirely verify the reliability of this, but the basic idea makes sense to me. It’s done in basically the same way as the Windows credentials exploit, just using the Mac version of SMB, and is plausible.
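The two chat-link issues above (the Windows UNC path and its Mac smb:// counterpart) share one fix on the client side: never turn such references into clickable links. Here is an added example of that rendering rule (not Zoom’s code) with constructed chat lines; a real renderer would also HTML-escape the message before wrapping URLs, which is omitted here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed chat lines; no host named here is real.
var sampleMessages = []string{
	`agenda for today: https://example.org/notes?id=1`,
	`open \\10.0.0.5\share\report.docx and smb://files.example/share`,
}

// Only http(s) URLs are ever made clickable. UNC paths and smb:// URLs are
// detected so they can be left inert: opening either makes the operating
// system start an SMB session that carries the user's credentials to
// whatever host the sender named in the message.
var (
	httpURL = regexp.MustCompile(`https?://[^\s<>"']+`)
	uncPath = regexp.MustCompile(`\\\\[^\s\\]+\\[^\s]*`)
	smbURL  = regexp.MustCompile(`smb://[^\s<>"']+`)
)

// Rendered is one chat line after link processing.
type Rendered struct {
	Text    string   // message with allowed URLs wrapped in <a> tags
	Links   []string // URLs that were made clickable
	Blocked []string // UNC paths and smb URLs found and deliberately not linked
}

// renderMessage linkifies http(s) URLs and records anything that would have
// triggered an SMB connection so the client can show it as plain text and log it.
func renderMessage(msg string) Rendered {
	r := Rendered{}
	r.Blocked = append(r.Blocked, uncPath.FindAllString(msg, -1)...)
	r.Blocked = append(r.Blocked, smbURL.FindAllString(msg, -1)...)
	r.Text = httpURL.ReplaceAllStringFunc(msg, func(u string) string {
		r.Links = append(r.Links, u)
		return fmt.Sprintf(`<a href="%s">%s</a>`, u, u)
	})
	return r
}

func main() {
	for _, m := range sampleMessages {
		r := renderMessage(m)
		fmt.Println(r.Text)
		if len(r.Blocked) > 0 {
			fmt.Println("  not linked (would start SMB auth):", strings.Join(r.Blocked, ", "))
		}
	}
}
```

On the endpoint side the same leak is contained by blocking outbound SMB (TCP 445) at the network edge and by the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”.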

Zoom's big response and apology

April 1 | Apology Day

The biggest part of this is that they decided to freeze feature updates for 90 days while they focus on security. They also decided to consult third-party experts to analyze their security. They launched a weekly webinar as well to go over privacy and security updates. Of course they make the necessary apology for everything they’ve done in March. This all seems really good, like they are really trying to make things better at Zoom Video Communications.

Elon Musk's SpaceX bans Zoom

April 1 | Date of Discovery

SpaceX sent out an email on March 28th telling its employees not to use Zoom, and that they had disabled it on employees’ computers. This was one of the first public instances of a company banning Zoom, and is an important move. As far as anyone can see this is just a precaution from SpaceX, but a potentially important one, because if there is anything else wrong with Zoom, or any data being stolen, this is the best way to be protected. The article also mentioned a NASA spokeswoman saying NASA isn’t using Zoom either.

Former NSA Hacker finds more vulnerabilities

April 1 | Date Disclosed

The two bugs allow a hacker with physical control of a computer to use the Zoom vulnerabilities to take control of the computer and gain root access, where they can install malware and spy on the webcam or microphone.

Zoom fixes root vulnerabilities

April 2 | Date Fixed

Zoom again quickly fixes their mistake and apologizes. This was the two bugs discovered by the former NSA hacker. It really shows their focus on features before security.

MacOS installation fixed

April 2 | Date Fixed

Zoom again quickly fixes the issue after it’s pointed out by the media. This was obviously something they meant to implement in the first place, but they did decide to change it to how it should be. It’s good that they fix it, but man they just keep having issues.

Zoom displays LinkedIn profile

April 2 | Date of Discovery

A data-mining tool was used to find certain Zoom users’ LinkedIn profiles. This requires a service called LinkedIn Sales Navigator. This is a pretty obscure issue, but it is just another one on the pile.

Tool can find unprotected Zoom meetings

April 2 | Day Designed

This tool will find a real Zoom meeting ID 14% of the time, and can find 100 meetings in an hour. This is just another thing that should encourage people to properly protect their meetings, since a tool like this would probably be developed for any popular conferencing program.

DIY encryption

April 3 | Day of Discovery

Zoom had developed its own encryption scheme, which is technically AES-128 in ECB mode. That’s a bunch of technical stuff that doesn’t really matter, but what does matter is that it just isn’t very secure (ECB encrypts every identical block of input to an identical block of output, so patterns in the data survive encryption), and they claimed to be using AES-256, which they just aren’t using. This just isn’t as secure as it should be, and they claimed it was. This encryption mistake is either another one of their terrible security mistakes, or maybe—and this is a little conspiracy like—they are purposefully leaving data not well and fully encrypted (I don’t necessarily actually really believe this). The report also brought up concerns over some data being sent through China and governments targeting Zoom for intelligence gathering.
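To make the ECB problem concrete, here is an added example (not Zoom’s code) that encrypts eight identical 16-byte “frames” with AES-128 in ECB mode and with AES-GCM, then counts duplicate ciphertext blocks. The key and the frame bytes are constructed for the demonstration; ECB mode is built by hand because Go’s standard library deliberately does not offer it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed inputs: eight identical 16-byte "frames" (a static video frame
// repeats the same pixels) and a 16-byte key, i.e. AES-128 as the page says.
var sampleFrames = bytes.Repeat([]byte("same-pixel-block"), 8)
var sampleKey = []byte("0123456789abcdef")

// ecbEncrypt runs the raw block cipher over each 16-byte block on its own. That
// is all "AES in ECB mode" is: no chaining and no nonce, so equal plaintext
// blocks give equal ciphertext blocks and the input's structure shows through.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt is the conventional alternative: AES-GCM under a fresh random nonce,
// returned as nonce || ciphertext || tag. Repeats vanish and tampering is detected.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block;
// anything above zero means the ciphertext is leaking plaintext structure.
func repeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(ct)/bs - len(seen)
}

func main() {
	ecb, _ := ecbEncrypt(sampleKey, sampleFrames)
	sealed, _ := gcmEncrypt(sampleKey, sampleFrames) // first 12 bytes are the nonce
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb, 16),
		"GCM repeated blocks:", repeatedBlocks(sealed[12:12+len(sampleFrames)], 16))
}
```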

Zoom responds to encryption and China

April 3 | Day of Response

In response to their lackluster encryption, Zoom accepted that it was bad, apologized for it being bad and said they’ll get to fixing it. OK. That’s good, I guess. Now it’s time for their response to sending data through China. Zoom said the plan was to keep geofencing around China, not letting calls outside of China go into China, and not letting calls inside of China go out of China. While dealing with increased demand in February they accidentally added two new data centers in China to a list of data centers outside of China, so some calls at busy times could be routed through China. They assured us that this did not affect Zoom for Government. The reason that matters is that when web traffic goes through China, we don’t put it past the Chinese government to snoop. And now quitzoom.com is not getting through the Chinese firewall (if it even would have before). Oh well.

US Congress sends a letter to Mr. Eric Yuan

April 3 | Date of letter sent

Some members of the United States Congress wrote a letter to Mr. Eric Yuan, CEO of Zoom, asking about their data collection overall and in relation to specific instances. For example, they asked what data they collect from users with an account and for how long. Users without an account? They also ask if attendees are made aware of certain features turned on by the host. This letter could have had some effect, because some of these features were removed, but what I want to know is Zoom’s response to this letter.

Easily find Zoom calls on internet

April 3 | Date of Discovery

The Washington Post found out that Zoom automatically uses a very predictable naming scheme for recordings of Zoom meetings which made it very easy to find recordings, sometimes private ones, online. The specific instance mentioned by the Post uses unprotected Amazon buckets. The only fault with Zoom here is that they don’t force you to name recordings, but this is really a tiny nitpick. I’m not saying much but I will say using just that information and some Googling I found exactly what they referenced in the article. To be a good internet citizen I’m not telling you how to do it, but I will say my email is skyler@quitzoom.com.

Note (added 4/16): These have to be recordings recorded and then uploaded somewhere separate from Zoom’s cloud. Someone could unknowingly upload them to somewhere exposed, but they do have to purposefully take action for this to happen. The best place to upload recordings is a private Dropbox, Google Drive, or similar file sharing service set to private. YouTube unlisted is usually fine.

Third Zoom lawsuit

April 3 | Date filed

Another class-action lawsuit filed against Zoom. This one is over the same things as the others: the iOS app sending data to Facebook, the claim of end-to-end encryption and a webcam vulnerability.

Eric Yuan makes another apology

April 4 | Date of Apology

Zoom CEO Eric Yuan basically apologizes for everything thus far in an interview with the Wall Street Journal.

Zoom enables passwords by default

April 4 | Date of Update

Zoom turned on passwords and waiting rooms by default on free accounts, single user accounts, and education accounts. That’s good and secure. It just is. A round of applause to Zoom for this one, I have no criticism.

New York City schools ban Zoom

April 4 | Date Announced

The New York City Department of Education made the move to ban teachers’ use of Zoom for live teaching and other educational uses in the city. They did this because of security and privacy concerns, and it is a great move toward being more careful of Zoom. There are concerns with this though, because it will most certainly disrupt the education patterns teachers have set up now using Zoom, which just isn’t good.

EPIC asks for an FTC investigation

April 6 | Date of letter sent

EPIC stands for Electronic Privacy Information Center, and they wrote an open letter to the FTC asking for an investigation into Zoom’s security and privacy issues. This is a large step in the right direction; if government and government agencies get involved we can find out if we should be using Zoom—and maybe we should, I’m just saying we can’t know for sure right now.

Zoom furthering government lobbying

April 6 | Date of interview

Really this is fair to expect from a company that is in an environment with a lot of legal pressure and in a new day and age of COVID-19.

Zoom accounts on dark web

April 6 | Date of Discovery

Zoom accounts were found being sold by hackers on the dark web. This is nothing to blame Zoom over; this happens for all programs, and it’s just a reminder to use different passwords, maybe a password manager, and to check haveibeenpwned.

Taiwan bans government use

April 7 | Date of Ban

The Taiwan Executive Yuan—not to be confused with Zoom’s Eric Yuan—is a Taiwanese government branch and has ordered the government to stop using Zoom and be more careful about their video conferencing tools. I think that’s important, we as a society need to be careful of what we sign up for and use. This is also a good move from a government as they wouldn’t want any secrets exposed through inadequate encryption or other Zoom shortcomings.

Fourth Zoom lawsuit

April 7 | Date Filed

This lawsuit, filed by a shareholder of Zoom, alleges that Zoom has “inadequate data privacy and security measures.” This lawsuit did make the news, even though the second and third didn’t and I think it’s just because there was less other news around April 7.

First Zoom security webinar hosted

April 8 | Date of Webinar

Zoom called this the “Ask Eric Anything Webinar”, and it was hosted on Zoom and streamed on YouTube. As far as I can tell he answered questions from people in the Zoom webinar. He said Zoom will update their encryption to standard AES-256, as it should be, with keys generated by the users. He also said the only data taken from meetings is metadata to help with analytics, which is very reassuring to hear. It was also mentioned they disabled the file sharing feature to investigate a security issue with the feature, which is great. They really do appear to be trying to improve.

Meeting IDs removed from title bar

April 8 | Date Updated

Zoom updated the software to remove the meeting ID from the top of the Zoom window during meetings. This makes it harder for anyone to share the meeting ID. That’s both good and bad. Good because it makes it harder for people to quickly share meeting IDs and plan “Zoom bombing raids.” It’s bad because people won’t be able to let their friends join meetings as easily, but I see this all as good because this is the first time we see Zoom really choosing security over ease of use. That is absolutely a step in the right direction, and maybe more of this will make Zoom a safely usable piece of software.

NPR interview with Eric Yuan

April 8 | Date of Interview

Let me just share with you what he said: “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important – even at the cost of multiple clicks.” That is brilliant, not only are their actions saying that they want to focus on security, but now their words are too. It looks good for Zoom coming back and becoming a truly secure platform. I would encourage you to read the interview because it does help you understand what it has been like for Zoom and Yuan.

Zoom hires former Facebook Security Officer

April 8 | Date Announced

I would like to start this off by saying that I have nothing against Alex Stamos, who Zoom hired. Stamos used to be the Security Officer for Facebook and Yahoo, and he is probably really good at his job. But if I were Zoom I wouldn’t hire someone who managed Facebook’s security because they don’t have the best security record. This probably is a good thing for Zoom though and it probably will improve their security, it just didn’t make for good headlines.

Zoom bugs being sold for high prices

April 8 | Date of Discovery

This makes perfect sense, when you have popular software you will have people finding and selling bugs. We can only hope Zoom is also finding bugs and fixing them—hopefully.

Google bans Zoom

April 8 | Date of Discovery

In an email sent to Google employees in the week of March 30, Google told employees not to use Zoom on work laptops and that the program would stop working soon. This adds to the list of companies doing this, which also includes SpaceX and NASA. This is a good move for a company that wants to keep machines and secrets safe.

German Foreign Ministry bans Zoom

April 8 | Date Announced

This is just one part of the German government, but they made the decision to ban Zoom. The government said each ministry can make its own decision on this. This is just one of many examples of organizations protecting their security and privacy by switching away from Zoom.

Singapore bans Zoom education use

April 9 | Date Announced

This is another instance of countries taking the lead, as the Singapore Ministry of Education stopped the use of Zoom countrywide, but this time it wasn’t because of security issues but instead serious Zoom bombing in the schools. That’s a great reason to stop using the platform as well, but I could foresee them quickly bringing Zoom back into education.

US Senate asked not to use Zoom

April 9 | Date of Discovery

This isn’t a ban, but due to security issues they asked senators not to use Zoom for remote work. Good.

DOD using Zoom for Government only

April 10 | Date of Discovery

Zoom has a special version for government customers that uses special cloud servers. The US Department of Defense told its employees to make sure they use Zoom for Government for work, and not the free or commercial options. The purpose of me mentioning this is mostly just to explain the existence of Zoom for Government.

Zoom Security Webinar #2

April 10 | Date of Discovery

This is the second week of the “Ask Eric Anything” webinar. He summarized everything they did for security in the week before and announced that reporting a user is to come on 4/18. He said that all accounts will have waiting rooms and passwords on by default and education accounts will require them. That’s important and fantastic for helping with security and Zoom bombing. While it’s not a perfect solution, it is getting closer. He did announce some more, but that’s what’s significant. In the Q&A part he said they are working on improving their AES-256 encryption—I’m working on seeing if they ever switched from 128- to 256-bit. This does make me think that Zoom is trying to improve, but every time they fix something it seems there is something new, so I’m just not satisfied with it yet.

Control countries routed through

April 13 | Date of Announcement

The feature will come on Saturday (4/18). The feature allows paid users of Zoom—which doesn’t include most, if not all, schools’ accounts—to restrict and select which country they want their call to be routed through. This is a great feature considering their encryption leaves the data unencrypted in the data centers (or at least I think it still can be; they are not very clear about their encryption at all). This is an awesome security feature that is really just good for everyone, which brings me to the problems. Most people won’t know this exists, like many other security features, and will not enable it. The other issue is that most people use free Zoom and thus don’t have access to this feature at all, so maybe if we use software we should think about paying for it so we can get the best security features, and if we’re paying for it, why not pay for something other than Zoom.

Cloud recording vulnerabilities discovered and fixed

April 16 | Date Disclosed

The vulnerabilities allowed a hacker to find Zoom calls that had been recorded with Zoom’s cloud service, which at the time didn’t require a password. His tool also used the other vulnerability, which let the URL be used to determine the password to some recordings. Often the videos found were still on Zoom’s server after the user had deleted them. The first fix Zoom pushed out on Saturday (4/11) used a Captcha—you know, the “I’m not a robot” thing—to stop the tool from working, but it didn’t fix either of the vulnerabilities. On Tuesday (4/14) Zoom began requiring users to create complex passwords for cloud recordings; this made it so that the exploit that used the URL to determine the password wouldn’t work on new recordings that required this complex password. This technically didn’t fix either of the vulnerabilities, so recordings made before the change can still be seen if the hacker manually uses the exploits, but ones made after 4/14 are safe. I would like to share with you a quote the security researcher who discovered this gave in an interview with CNET: “Zoom has not considered security at all when developing their software.” This may all seem bad, but there is a good side: this time they fixed(-ish) the issue before it came to the public. Maybe we are getting close to a safe Zoom.